Command Reference Gui

The win32k.sys suite of plugins analyzes GUI memory. Most of these plugins are more thoroughly described (including details on underlying data structures, example use cases, etc) on the Volatility Labs Blog, so the content here is just a quick summary.

sessions

This command analyzes the unique _MM_SESSION_SPACE objects and prints details related to the processes running in each logon session, mapped drivers, paged/non-paged pools etc. The alternate process lists output by this plugin are leveraged by the psxview plugin for rootkit detection. For more information, see MoVP 1.1 Logon Sessions, Processes, and Images.

wndscan

This command scans for tagWINDOWSTATION objects and prints details on the window station, its global atom table, available clipboard formats, and processes or threads currently interacting with the clipboard. For more information see MoVP 1.2 Window Stations and Clipboard Malware.

atomscan

This command scans physical memory for atom tables. For each table found, it enumerates the buckets of atoms - including session global atoms and window station global atoms. It does not include process local atoms. Atoms are reported in the order in which they were found, unless you specify --sort-by=atom (sorts by atom ID) or --sort-by=refcount (sorts by number of references to the atom). Using this plugin you can find registered window messages, rogue injected DLL paths, window class names, etc. For more information see MoVP 2.1 Atoms (The New Mutex), Classes, and DLL Injection.

atoms

This command is similar to atomscan above, but it allows us to associate atom tables with their owning window station. We need this command in conjunction with atomscan because there are many reasons an atom must be tied to its session or window station (for example, when resolving ihmod values from Windows message hooks or event hooks).

clipboard

This command recovers data from users' clipboards. It walks the array of tagCLIP objects pointed to by tagWINDOWSTATION.pClipBase and takes the format (i.e. unicode, ansi, ole, bmp) and the handle value. Then it walks the USER handle table (also see the userhandles plugin) and filters for TYPE_CLIPDATA objects. It matches the handle value of those objects with the handles from tagCLIP so that a format can be associated with the raw data. For more information, see MoVP 3.4: Recovering tagCLIPDATA What's In Your Clipboard?.

The output below shows an extracted unicode command that a user had copied to the clipboard:
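The handle-matching step described above, as an added example that is not part of the Volatility code base: tagCLIP is reduced to its fmt and hData fields, a USER handle table entry to its bType, handle and the tagCLIPDATA payload (cbData/abData) it points at, and all sample records are constructed rather than read from an image. The CF_* constants are the standard winuser.h clipboard formats.

```python
# Added example (not Volatility's own code): a simplified model of how the
# clipboard plugin joins tagCLIP entries with TYPE_CLIPDATA USER handles.
# Structures are reduced to the fields the plugin uses; every sample record
# below is constructed, not taken from a real memory image.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard clipboard format constants from winuser.h.
CF_TEXT = 1
CF_BITMAP = 2
CF_OEMTEXT = 7
CF_DIB = 8
CF_UNICODETEXT = 13
CF_HDROP = 15
FORMAT_NAMES = {CF_TEXT: "CF_TEXT", CF_BITMAP: "CF_BITMAP", CF_OEMTEXT: "CF_OEMTEXT",
                CF_DIB: "CF_DIB", CF_UNICODETEXT: "CF_UNICODETEXT", CF_HDROP: "CF_HDROP"}

TYPE_CLIPDATA = 6  # USER object type index for tagCLIPDATA


@dataclass
class TagClip:
    """One element of the array tagWINDOWSTATION.pClipBase points to."""
    fmt: int     # clipboard format
    hData: int   # USER handle of the tagCLIPDATA holding the bytes


@dataclass
class HandleEntry:
    """A USER handle table entry plus the tagCLIPDATA payload it references."""
    bType: int
    handle: int
    cbData: int = 0
    abData: bytes = b""


def decode_clip(fmt: int, data: bytes) -> str:
    """Render the raw tagCLIPDATA bytes according to the format from tagCLIP."""
    if fmt == CF_UNICODETEXT:
        return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if fmt in (CF_TEXT, CF_OEMTEXT):
        return data.decode("latin-1").split("\x00", 1)[0]
    return data.hex()  # binary formats (DIB, HDROP, ...): show the bytes


def recover_clipboard(clips: List[TagClip],
                      handle_table: List[HandleEntry]) -> List[Tuple[str, int, Optional[str]]]:
    """Associate each clipboard format with its data by matching handle values.

    Returns (format name, handle, decoded data); data is None when no
    TYPE_CLIPDATA entry carries that handle (e.g. CF_BITMAP, whose handle
    refers to a GDI object rather than a USER-owned tagCLIPDATA).
    """
    clipdata = {e.handle: e for e in handle_table if e.bType == TYPE_CLIPDATA}
    results = []
    for clip in clips:
        name = FORMAT_NAMES.get(clip.fmt, "0x%x" % clip.fmt)
        entry = clipdata.get(clip.hData)
        if entry is None:
            results.append((name, clip.hData, None))
        else:
            payload = entry.abData[:entry.cbData]
            results.append((name, clip.hData, decode_clip(clip.fmt, payload)))
    return results


def _clipdata(handle: int, payload: bytes) -> HandleEntry:
    """Build a constructed TYPE_CLIPDATA entry with cbData set to the payload length."""
    return HandleEntry(TYPE_CLIPDATA, handle, len(payload), payload)


# Constructed sample: a user copied a command (unicode) and a path (ansi);
# the bitmap slot has no tagCLIPDATA behind it. Handle values are made up.
SAMPLE_CLIPS = [TagClip(CF_UNICODETEXT, 0x10071),
                TagClip(CF_TEXT, 0x20083),
                TagClip(CF_BITMAP, 0x300A5)]
SAMPLE_HANDLES = [
    HandleEntry(bType=1, handle=0x10045),                        # a window, ignored
    _clipdata(0x10071, "ipconfig /all".encode("utf-16-le") + b"\x00\x00"),
    _clipdata(0x20083, b"C:\\temp\\report.txt\x00"),
]

if __name__ == "__main__":
    for name, handle, data in recover_clipboard(SAMPLE_CLIPS, SAMPLE_HANDLES):
        print("%-16s 0x%08x %r" % (name, handle, data))
```

The join is keyed on the full handle value, which is what lets the format from tagCLIP be attached to bytes that, on their own, carry no type information; a format with no matching TYPE_CLIPDATA entry is reported with no data rather than guessed at.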

eventhooks

This command enumerates event hooks installed via the SetWinEventHook API. It prints the minimum and maximum event IDs to which the hook applies, the targeted threads, owning processes, and offset to the hook procedure. For more information, see MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem.

gahti

This command uses an algorithmic approach to finding the win32kgahti symbol, which is an array of tagHANDLETYPEINFO structures - one for each type of USER object on the system. Windows XP typically has 20 object types and Windows 7 has 22, including TYPE_FREE. The plugin shows you the 4-byte tag associated with allocations, where the objects are allocated from (desktop heap, shared heap, session pool), and how the objects are owned (thread owned, process owned, or anonymous). For more information, see MoVP 3.3 Analyzing USER Handles and the Win32k Gahti.

messagehooks

This command prints both local and global message hooks, installed via SetWindowsHookEx APIs. This is a common trick used by malware to inject code into other processes and log keystrokes, record mouse movements, etc. For more information, see MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem.

screenshot

This command takes a screenshot from each desktop on the system. The screenshot is a wire-frame diagram, with labeled window titles, according to the Z-Order (i.e. front to back) arrangement of the windows and their coordinates at the time of the memory dump. For more information, see MoVP 4.3 Taking Screenshots From Memory Dumps.

$ python vol.py -f users.vmem --profile=Win7SP1x86 screenshot -D shots/
Volatility Foundation Volatility Framework 2.4
Wrote shots/session_0.Service-0x0-3e4$.Default.png
Wrote shots/session_0.Service-0x0-3e5$.Default.png
Wrote shots/session_0.msswindowstation.mssrestricteddesk.png
Wrote shots/session_0.Service-0x0-3e7$.Default.png
Wrote shots/session_1.WinSta0.Default.png
Wrote shots/session_1.WinSta0.Disconnect.png
Wrote shots/session_1.WinSta0.Winlogon.png
Wrote shots/session_0.WinSta0.Default.png
Wrote shots/session_0.WinSta0.Disconnect.png
Wrote shots/session_0.WinSta0.Winlogon.png
Wrote shots/session_2.WinSta0.Default.png
Wrote shots/session_2.WinSta0.Disconnect.png
Wrote shots/session_2.WinSta0.Winlogon.png

Here's an example of one of the desktops:

userhandles

This command locates the session-specific tagSHAREDINFO structure and walks its aheList member (an array of _HANDLEENTRY structures). It determines if each handle entry is thread or process owned, shows the object type, and its offset in session space. This plugin is not very verbose; it's just meant to show an overview of the USER objects currently in use by each thread or process, and it serves as an API for other plugins that do want verbose details on an object type. For example, the gditimers and eventhooks plugins leverage the APIs from this plugin. For more information, see http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k Gahti.
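How the gahti and the USER handle table fit together (the gahti and userhandles sections above), as an added example that is not Volatility's own code: a _HANDLEENTRY's bType indexes the gahti, and that row's create flags decide whether pOwner is a thread or a process and which heap the object came from. The OCF_* flag values are the ones win32k uses in tagHANDLETYPEINFO.bObjectCreateFlags and the type index list is the Windows 7 set of 22; the gahti rows, pool tags, addresses and handle entries below are constructed, and the flag combinations per type are illustrative assumptions rather than values copied from a real system.

```python
# Added example (not Volatility's own code): interpreting USER handle table
# entries through the gahti, as userhandles does. The gahti rows, tags,
# addresses and handle entries are constructed; per-type flag combinations
# are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Object create flags stored in tagHANDLETYPEINFO.bObjectCreateFlags.
OCF_PROCESSOWNED = 0x01
OCF_THREADOWNED = 0x02
OCF_MARKPROCESS = 0x04
OCF_USEPOOLQUOTA = 0x08
OCF_DESKTOPHEAP = 0x10
OCF_USEPOOLIFNODESKTOP = 0x20
OCF_SHAREDHEAP = 0x40
OCF_VARIABLESIZE = 0x80

# USER object type indices on Windows 7 (22 entries, TYPE_FREE included).
WIN7_TYPE_NAMES = [
    "TYPE_FREE", "TYPE_WINDOW", "TYPE_MENU", "TYPE_CURSOR", "TYPE_SETWINDOWPOS",
    "TYPE_HOOK", "TYPE_CLIPDATA", "TYPE_CALLPROC", "TYPE_ACCELTABLE", "TYPE_DDEACCESS",
    "TYPE_DDECONV", "TYPE_DDEXACT", "TYPE_MONITOR", "TYPE_KBDLAYOUT", "TYPE_KBDFILE",
    "TYPE_WINEVENTHOOK", "TYPE_TIMER", "TYPE_INPUTCONTEXT", "TYPE_HIDDATA",
    "TYPE_DEVICEINFO", "TYPE_TOUCHINPUTINFO", "TYPE_GESTUREINFOOBJ",
]
TYPE_FREE, TYPE_WINDOW, TYPE_HOOK, TYPE_CLIPDATA, TYPE_TIMER = 0, 1, 5, 6, 16


@dataclass
class GahtiEntry:
    """One tagHANDLETYPEINFO row: 4-byte pool tag plus bObjectCreateFlags."""
    dwAllocTag: str
    bObjectCreateFlags: int


@dataclass
class HandleEntry:
    """The _HANDLEENTRY fields userhandles needs."""
    phead: int    # object address in session space
    pOwner: int   # tagTHREADINFO or tagPROCESSINFO, depending on the type's flags
    bType: int


def describe_type(bType: int, gahti: List[GahtiEntry]) -> Tuple[str, str, str]:
    """Return (type name, owner kind, allocation source) for a type index.

    A bType outside the gahti is reported as invalid instead of being used
    as an index: a corrupted slot must not be treated as a live object.
    """
    if not 0 <= bType < min(len(gahti), len(WIN7_TYPE_NAMES)):
        return ("INVALID(%d)" % bType, "unknown", "unknown")
    flags = gahti[bType].bObjectCreateFlags
    if flags & OCF_THREADOWNED:
        owner = "thread"
    elif flags & OCF_PROCESSOWNED:
        owner = "process"
    else:
        owner = "anonymous"
    if flags & OCF_DESKTOPHEAP:
        heap = "desktop heap"
    elif flags & OCF_SHAREDHEAP:
        heap = "shared heap"
    else:
        heap = "session pool"
    return (WIN7_TYPE_NAMES[bType], owner, heap)


def summarize_handles(table: List[HandleEntry],
                      gahti: List[GahtiEntry]) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Overview of live USER objects per owner, in the spirit of userhandles.

    Keys are (owner kind, pOwner address); values count objects by type name.
    TYPE_FREE slots and entries with an invalid type are skipped.
    """
    summary: Dict[Tuple[str, int], Dict[str, int]] = {}
    for entry in table:
        if entry.bType == TYPE_FREE:
            continue
        name, owner, _ = describe_type(entry.bType, gahti)
        if owner == "unknown":
            continue
        bucket = summary.setdefault((owner, entry.pOwner), {})
        bucket[name] = bucket.get(name, 0) + 1
    return summary


# Constructed gahti: only the rows this sample touches carry meaningful
# flags; the "????" tag marks rows left as placeholders.
SAMPLE_GAHTI = [GahtiEntry("????", 0) for _ in WIN7_TYPE_NAMES]
SAMPLE_GAHTI[TYPE_WINDOW] = GahtiEntry("Uswd", OCF_THREADOWNED | OCF_DESKTOPHEAP | OCF_VARIABLESIZE)
SAMPLE_GAHTI[TYPE_HOOK] = GahtiEntry("Ushk", OCF_THREADOWNED | OCF_DESKTOPHEAP)
SAMPLE_GAHTI[TYPE_CLIPDATA] = GahtiEntry("Uscb", OCF_SHAREDHEAP | OCF_VARIABLESIZE)
SAMPLE_GAHTI[TYPE_TIMER] = GahtiEntry("Ustm", OCF_THREADOWNED | OCF_USEPOOLQUOTA)

# Constructed handle table: two threads, one anonymous object, a free slot
# and one slot whose type byte is garbage.
THREAD_A, THREAD_B = 0x85F01000, 0x85F02000
SAMPLE_TABLE = [
    HandleEntry(0xFE0A0100, THREAD_A, TYPE_WINDOW),
    HandleEntry(0xFE0A0200, THREAD_A, TYPE_WINDOW),
    HandleEntry(0xFE0A0300, THREAD_A, TYPE_TIMER),
    HandleEntry(0xFE0A0400, THREAD_B, TYPE_HOOK),
    HandleEntry(0xFE0A0500, 0, TYPE_CLIPDATA),
    HandleEntry(0, 0, TYPE_FREE),
    HandleEntry(0xFE0A0700, THREAD_B, 99),
]
```

Plugins that want detail on one type (gditimers for TYPE_TIMER, eventhooks for TYPE_WINEVENTHOOK) would filter the same table on bType and then dereference phead as the matching structure; the type-to-owner and type-to-heap mapping comes from the gahti, not from the handle entry itself.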

gditimers

This command leverages the USER handle table API as described above and, for each TYPE_TIMER, dereferences the object as a tagTIMER and prints details on the fields. Malware often uses timers to schedule routine functions, such as contacting a C2 server or making sure a hidden process remains hidden. For more information, see MoVP 4.1 Detecting Malware with GDI Timers.

windows

This command enumerates all windows (visible or not) in all desktops of the system. It walks windows in their Z-Order (i.e. front to back focus) starting at the desktop's spwnd value (the foreground window). For each window it shows details on the window's title, class atoms, the owning thread and process, the visibility properties, the left/right/top/bottom coordinates, the flags and ex-flags, and the window procedure address. For more information on windows, see MoVP 2.2 Malware In Your Windows.

wintree

This command enumerates windows in the same way as the windows command above, but it prints less verbose details so that the parent/child relationship can be easily expressed in a tree form. Instead of a "flat" view, you can see which windows are contained within other windows.
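The traversal shared by the windows and wintree commands above, as an added example that is not Volatility's own code: starting from the desktop's spwnd, the walk follows spwndNext across siblings in Z-order and spwndChild into children, producing either the flat listing or the indented tree. spwndNext and spwndChild are real tagWND members; the window records, titles and addresses are constructed, the dotted indentation is this example's choice, and the offset-based cycle guard is an assumption about how a walk over possibly corrupted memory should protect itself.

```python
# Added example (not Volatility's own code): the traversal behind the
# windows and wintree plugins. Window records and titles are constructed;
# the dotted indentation and the cycle guard are this example's choices.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Wnd:
    """The tagWND fields the traversal needs, plus a title for display."""
    offset: int                     # address of the tagWND in session space
    title: str
    spwndNext: Optional["Wnd"] = None
    spwndChild: Optional["Wnd"] = None


def walk_zorder(spwnd: Optional[Wnd], limit: int = 100000) -> List[Tuple[int, Wnd]]:
    """Depth-first Z-order walk returning (depth, window) pairs.

    Siblings are visited front to back via spwndNext; a window's children
    are visited before its next sibling. A tagWND offset seen twice ends the
    walk along that chain, so a pointer loop in corrupted memory cannot
    spin forever; `limit` caps the total number of windows collected.
    """
    seen = set()
    out: List[Tuple[int, Wnd]] = []

    def visit(wnd: Optional[Wnd], depth: int) -> None:
        while wnd is not None and len(out) < limit:
            if wnd.offset in seen:
                return
            seen.add(wnd.offset)
            out.append((depth, wnd))
            visit(wnd.spwndChild, depth + 1)
            wnd = wnd.spwndNext

    visit(spwnd, 0)
    return out


def flat_listing(spwnd: Optional[Wnd]) -> List[Tuple[int, str]]:
    """windows-style flat view: (offset, title) in Z-order, nesting dropped."""
    return [(wnd.offset, wnd.title) for _, wnd in walk_zorder(spwnd)]


def render_tree(spwnd: Optional[Wnd]) -> List[str]:
    """wintree-style lines: one dot per nesting level before the title."""
    return ["." * depth + wnd.title for depth, wnd in walk_zorder(spwnd)]


# Constructed desktop: Notepad in the foreground with an Edit child, then
# Calculator, then the shell's Program Manager window at the back.
edit = Wnd(0xFE1A0300, "Edit")
notepad = Wnd(0xFE1A0100, "Untitled - Notepad", spwndChild=edit)
calc = Wnd(0xFE1A0500, "Calculator")
progman = Wnd(0xFE1A0700, "Program Manager")
notepad.spwndNext = calc
calc.spwndNext = progman
SAMPLE_DESKTOP_SPWND = notepad

# Constructed corruption: the second window's spwndNext points back to the first.
loop_a = Wnd(0xFE1B0100, "A")
loop_b = Wnd(0xFE1B0200, "B")
loop_a.spwndNext = loop_b
loop_b.spwndNext = loop_a
CORRUPT_SPWND = loop_a

if __name__ == "__main__":
    for offset, title in flat_listing(SAMPLE_DESKTOP_SPWND):
        print("0x%08x %s" % (offset, title))
    print("\n".join(render_tree(SAMPLE_DESKTOP_SPWND)))
```

Both views come from the same walk; the flat form is what the windows command's per-window detail rows follow, and the depth carried alongside each window is all wintree needs to show containment.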